PHP OAuth 2.0 Server Versions Save

A spec compliant, secure by default PHP OAuth 2.0 Server

9.0.0-RC1

1 month ago

Added

  • Device Authorization Grant added (PR #1074)
  • GrantTypeInterface has a new function, revokeRefreshTokens() for enabling or disabling refresh tokens after use (PR #1375)
  • A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
  • The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
  • An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
  • Added function getKeyContents() to the CryptKeyInterface (PR #1375)

Fixed

  • If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an invalid_grant error and a HTTP 400 response. In previous versions the server incorrectly issued an invalid_request and HTTP 401 response (PR #1042) (PR #1082)

Changed

  • Authorization Request objects are now created through the factory method, createAuthorizationRequest() (PR #1111)
  • Changed parameters for finalizeScopes() to allow a reference to an auth code ID (PR #1112)
  • AccessTokenEntityInterface now requires the implementation of toString() instead of the magic method __toString() (PR #1395)

Removed

  • Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)

8.5.4

8 months ago

Added

  • Support for league/uri ^7.0 (PR #1367)

8.4.2

9 months ago

Security

  • If a key string is provided to the CryptKey constructor with an invalid passphrase, the LogicException message generated will contain the given key. The key is no longer leaked via this exception (PR #1359)

8.5.3

10 months ago

Security

  • If a key string is provided to the CryptKey constructor with an invalid passphrase, the LogicException message generated will expose the given key. The key is no longer leaked via this exception (PR #1353)

8.5.2

10 months ago

Changed

  • Bumped the versions for laminas/diactoros and psr/http-message to support PSR-7 v2.0 (PR #1339)

8.5.1

1 year ago

Fixed

  • Fixed PHP version constraints and lcobucci/clock version constraint to support PHP 8.1 (PR #1336)

8.5.0

1 year ago

Added

  • Support for PHP 8.1 and 8.2 (PR #1333)

Removed

  • Support PHP 7.2, 7.3, and 7.4 (PR #1333)

8.4.1

1 year ago

Fixed

  • Fix deprecation notices for PHP 8.x (PR #1329)

8.4.0

1 year ago

Added

  • You can now set a leeway for time drift between servers when validating a JWT (PR #1304)

Security

  • Access token requests that contain a code_verifier but are not bound to a code_challenge will be rejected to prevent a PKCE downgrade attack (PR #1326)

8.3.6

1 year ago

Fixed

  • Use LooseValidAt instead of StrictValidAt so that users aren't forced to use claims such as NBF in their JWT tokens (PR #1312)